AWS::SecretsManager::ResourcePolicy - AWS CloudFormation

AWS::SecretsManager::ResourcePolicy

Attaches a resource-based permission policy to a secret. A resource-based policy is optional. If the secret already has a resource policy attached, you must remove it before attaching a new policy with this CloudFormation resource; you can remove it with the console, the CLI (aws secretsmanager delete-resource-policy), or the API. For more information, see Authentication and access control for Secrets Manager.

Required permissions: secretsmanager:PutResourcePolicy, secretsmanager:GetResourcePolicy. For more information, see IAM policy actions for Secrets Manager and Authentication and access control in Secrets Manager.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::SecretsManager::ResourcePolicy",
  "Properties" : {
    "BlockPublicPolicy" : Boolean,
    "ResourcePolicy" : Json,
    "SecretId" : String
  }
}

YAML

Type: AWS::SecretsManager::ResourcePolicy
Properties:
  BlockPublicPolicy: Boolean
  ResourcePolicy: Json
  SecretId: String

Properties

BlockPublicPolicy

Specifies whether to block resource-based policies that allow broad access to the secret. By default, Secrets Manager blocks policies that allow broad access, for example those that use a wildcard ("*") for the principal. When blocking is in effect, a policy that grants a wildcard principal access is rejected and the stack operation fails rather than making the secret public. Set this property explicitly to true in templates instead of relying on the default, so the intent is visible in review and survives any change in default behavior.

Required: No

Type: Boolean

Update requires: No interruption

ResourcePolicy

A JSON-formatted string for an AWS resource-based policy. For example policies, see Permissions policy examples.

Required: Yes

Type: Json

Update requires: No interruption

SecretId

The ARN or name of the secret to attach the resource-based policy to.

For an ARN, we recommend that you specify a complete ARN rather than a partial ARN.

Required: Yes

Type: String

Minimum: 1

Maximum: 2048

Update requires: Replacement

Return values

Ref

When you pass the logical ID of an AWS::SecretsManager::ResourcePolicy resource to the intrinsic Ref function, the function returns the ARN of the configured secret, such as:

arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c

This enables you to reference a secret you created in one part of the stack template from within the definition of another resource later, in the same template. You would typically use this with the AWS::SecretsManager::SecretTargetAttachment resource type.

For more information about using the Ref function, see Ref.

Fn::GetAtt

Examples

Attaching a resource-based policy to a secret

The following example shows how to attach a resource-based policy to a secret created in the same template. The policy denies secretsmanager:DeleteSecret to the principal arn:aws:iam::<account-id>:root. In a resource-based policy, the account root ARN stands for every principal in that account, not just the root user, so no IAM user or role in the stack's own account can delete the secret while this policy is attached. The "Resource": "*" element in a secret's resource policy refers to the secret the policy is attached to. The example is shown with white space and line breaks for readability.

JSON

{
  "MySecret": {
    "Type": "AWS::SecretsManager::Secret",
    "Properties": {
      "Description": "This is a secret that I want to attach a resource-based policy to"
    }
  },
  "MySecretResourcePolicy": {
    "Type": "AWS::SecretsManager::ResourcePolicy",
    "Properties": {
      "BlockPublicPolicy": true,
      "SecretId": { "Ref": "MySecret" },
      "ResourcePolicy": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Resource": "*",
            "Action": "secretsmanager:DeleteSecret",
            "Effect": "Deny",
            "Principal": {
              "AWS": { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root" }
            }
          }
        ]
      }
    }
  }
}

YAML

---
MySecret:
  Type: AWS::SecretsManager::Secret
  Properties:
    Description: This is a secret that I want to attach a resource-based policy to
MySecretResourcePolicy:
  Type: AWS::SecretsManager::ResourcePolicy
  Properties:
    BlockPublicPolicy: true
    SecretId:
      Ref: MySecret
    ResourcePolicy:
      Version: '2012-10-17'
      Statement:
        - Resource: "*"
          Action: secretsmanager:DeleteSecret
          Effect: Deny
          Principal:
            AWS:
              Fn::Sub: arn:aws:iam::${AWS::AccountId}:root
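The following is an added example, not code from the AWS documentation or from any AWS tool: an offline pre-deployment check for the ResourcePolicy property that reports the patterns the BlockPublicPolicy property and the example above are concerned with. It flags Allow statements with a wildcard principal (what BlockPublicPolicy rejects), distinguishes those narrowed by a Condition, reports principals from other accounts, and reports account "root" principals, since in a resource policy that ARN stands for the whole account. The account id, the resolution of ${AWS::AccountId}, and the two sample policies are constructed assumptions; the checker understands only the string form of Fn::Sub and does not evaluate any other intrinsic function.

```python
import re
from typing import Any, Dict, List, Tuple

# Assumed account id used to resolve ${AWS::AccountId} offline (hypothetical value).
ACCOUNT_ID = "123456789012"

ROOT_ARN = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):root$")
ANY_IAM_ARN = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):")

# Constructed input: the ResourcePolicy value from the template above, with the
# Fn::Sub intrinsic still unresolved, as it appears in the template.
SAMPLE_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Resource": "*",
        "Action": "secretsmanager:DeleteSecret",
        "Effect": "Deny",
        "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}},
    }],
}

# Constructed input: the kind of policy BlockPublicPolicy is meant to reject.
PUBLIC_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "*",
    }],
}


def resolve_sub(value: Any, account_id: str) -> Any:
    """Resolve the one intrinsic this checker understands: the string form of
    Fn::Sub containing ${AWS::AccountId}. Anything else is returned unchanged."""
    if isinstance(value, dict) and list(value) == ["Fn::Sub"]:
        template = value["Fn::Sub"]
        if not isinstance(template, str):
            raise ValueError("only the string form of Fn::Sub is supported here")
        return template.replace("${AWS::AccountId}", account_id)
    return value


def principal_entries(stmt: Dict[str, Any], account_id: str) -> List[Tuple[str, str]]:
    """Flatten a Principal element into (kind, value) pairs, e.g. ("AWS", "arn:...:root")."""
    principal = stmt.get("Principal")
    if principal is None:
        return []
    if principal == "*":
        return [("*", "*")]
    entries: List[Tuple[str, str]] = []
    for kind, values in principal.items():
        if not isinstance(values, list):
            values = [values]
        for v in values:
            entries.append((kind, resolve_sub(v, account_id)))
    return entries


def check_policy(policy: Dict[str, Any], account_id: str) -> List[Dict[str, str]]:
    """Return one finding per principal pattern a reviewer would want to see."""
    findings: List[Dict[str, str]] = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be written without a list
        statements = [statements]
    for index, stmt in enumerate(statements):
        effect = stmt.get("Effect", "")
        conditional = "Condition" in stmt

        def add(kind: str, principal: str) -> None:
            findings.append({"statement": str(index), "kind": kind,
                             "effect": effect, "principal": principal})

        if "NotPrincipal" in stmt:            # NotPrincipal semantics are easy to get wrong; always review
            add("not_principal", str(stmt["NotPrincipal"]))
        for kind, value in principal_entries(stmt, account_id):
            if value == "*":
                # Wildcard principal on an Allow is what BlockPublicPolicy rejects;
                # a Condition (for example aws:PrincipalOrgID) may narrow it, so report separately.
                if effect == "Allow":
                    add("conditional_public" if conditional else "public", value)
                continue
            if kind != "AWS":
                continue                      # Service and Federated principals are out of scope here
            if re.fullmatch(r"\d{12}", value):
                value = f"arn:aws:iam::{value}:root"   # a bare account id is shorthand for the root ARN
            root = ROOT_ARN.match(value)
            if root:
                # The root ARN in a resource policy means every principal in that account,
                # not only the root user; that is what makes the Deny in the example account-wide.
                add("account_root" if root.group(1) == account_id else "cross_account_root", value)
                continue
            other = ANY_IAM_ARN.match(value)
            if other and other.group(1) != account_id:
                add("cross_account", value)
    return findings


if __name__ == "__main__":
    for name, policy in (("SAMPLE_POLICY", SAMPLE_POLICY), ("PUBLIC_POLICY", PUBLIC_POLICY)):
        print(name, check_policy(policy, ACCOUNT_ID))
```

Run against the template's policy the checker reports a single account_root finding on a Deny statement, which is the intended effect; run against the public policy it reports a public finding, which is the case to fail a pipeline on before CloudFormation ever calls PutResourcePolicy.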

See also